Secure data transformations

ABSTRACT

A system for performing a secure sequence of transformations of a data value, using encrypted representations of the data value is disclosed. The system includes a first transformer for applying a transformation to an input data value to obtain an obfuscated representation thereof. The obfuscated representation contains a redundancy that depends on an input variable. The system further includes a sequence of second transformer for applying a transformation to compute transformed obfuscated representations. The system also includes a fourth transformer for applying a transformation such that a last obfuscated transformed data is obtained. The system further includes a fifth transformer for applying a transformation that depends on the last obfuscated transformed data and the input data.

CROSS-REFERENCE TO PRIOR APPLICATIONS

This application is the U.S. National Phase application under 35 U.S.C.§ 371 of International Application No. PCT/EP2014/077301, filed on Dec.11, 2014, which claims the benefit of European Patent Application No.13198922.0, filed on Dec. 20, 2013. These applications are herebyincorporated by reference herein.

FIELD OF THE INVENTION

The invention relates to computing a transformation of data usingencrypted representations of a data value.

BACKGROUND OF THE INVENTION

In recent years, developments have been made to make computer operationsmore secure. For example, a device may be allowed to decode certaindata, but this capability should not be transferrable to other devicesor users easily.

White-box cryptography is a technology in which function evaluations areperformed by means of pre-computed look-up tables. This technology canbe used to hide the functionality from attackers who may have access tothe code of a program. The look-up tables may be designed in such a waythat a sequence of table look-ups is performed using different look-uptables, to implement an algorithm. The look-up tables may further bedesigned in such a way that the intermediate results in betweensuccessive table look-ups is encoded by means of random bijections.White-box technology is known from for example “White-Box Cryptographyand an AES Implementation”, by S. Chow, P. A. Eisen, H. Johnson, and P.C. van Oorschot, in: Proceeding SAC 2002 Revised Papers from the 9thAnnual International Workshop on Selected Areas in Cryptography, pages250-270, Springer-Verlag London, UK.

US 2012/0300922 A1 discloses a method for generating a correspondencetable suitable for use in a cryptographic processing method andcomprising storing a plurality of input data and of output data in thetable, each input datum being associated with at least one output datumin the table. For each input datum, at least one of the output data isobtained by applying a coding function to a first subsidiary datum andto an encrypted intermediate datum depending on the input datum.

SUMMARY OF THE INVENTION

It would be advantageous to have a system that allows for secureprocessing of data that has improved protection against attacks. In afirst aspect, the invention provides a system for performing a securesequence of n transformations T_(i), wherein i=1, . . . , n, of a datavalue, using encrypted representations of the data value, comprising

first transformation means for applying a transformation to an inputdata value w₀ to obtain an obfuscated representation (X₀, Y₀) of w₀,wherein the obfuscated representation contains a redundancy that dependson an input variable r;

second transformation means for, for each of i=1, . . . , n−1, applyinga transformation u _(i) to compute (X_(i), Y_(i)) from (X_(i−1),Y_(i−1)), such that (X_(i), Y_(i))=u _(i) (X_(i−1),Y_(i−1));

third transformation means for applying a transformation G that dependson X_(n−1), Y_(n−1), and r, by computing w_(n)=G(X_(i−1), Y_(i−1), r),to obtain an outcome of the sequence of transformations, whereinw_(n)=T_(n) ∘ . . . ∘ T₁ (w₀);

wherein (X_(i), Y_(i))=Ψ_(i)(w_(i), σ_(i)), for i=0,1, . . . , n,wherein Ψ_(i) is a predefined obfuscation function that defines aone-to-one relation between (X_(i), Y_(i)) and (w_(i), σ_(i)), andwherein Ψ_(i) satisfies a condition that there is a one-to-one mappingthat maps any value of (X_(i), σ_(i)) to a value of (w_(i), Y_(i)) insuch a way that (X_(i), Y_(i))=Ψ_(i)(w_(i), σ_(i));

σ₀ depends on r; and

wherein w_(i)=T_(i)(w_(i−1)) and σ_(i)=g_(i)(σ_(i−1)) for i=1, . . . , nfor predetermined functions T_(i) and g_(i), wherein w₁, . . . , w_(n−1)and σ₀, . . . σ_(n) are not explicitly computed by the system.

Herein, an operator A is considered to be “linear with respect to theoperator ⊕” if and only if A(x⊕y)=Ax⊕Ay.

This system has the advantage, that it is more difficult to analyze theinner workings of the system by varying input values and analyzingsystem behavior, for example, because a change of an intermediatevariable (for example X_(i) or Y_(i), for some i) by an attacker maycause a change of the state σ_(n). Because of this, the result of thefifth transformation means will become unpredictable, as thetransformation F (X_(n), r) uses r to mix an expected value of σ withthe information relating to σ that is present in X_(n). If r and theinformation relating to σ that is present in X_(n) do not correspond tothe same value of σ, the output of the fifth transformation means may beerratic, which complicates the analysis an attacker has to perform tounderstand the system.

The third transformation means may comprise fourth transformation meansfor applying a transformation u_(n) such that X_(n)=u_(n)(X_(n−1),Y_(n−1)); and fifth transformation means for applying a transformation Fby computing w_(n)=F (X_(n), r), to obtain an outcome of the sequence oftransformations, wherein w_(n)=T_(n) ∘ . . . ∘ T₁(w₀). This allows anefficient implementation. If the transformations are implemented in formof look-up tables, this feature allows the implementation of the look-uptables with reduced memory space.

In an example, (X_(i), Y_(i))=(w_(i), σ_(i)) is defined as follows fori=0,1, . . . , n:X _(i)=Ψ_(i) ^(X)(A _(i)(φ_(i) ¹(w _(i)))⊕B _(i)(φ_(i) ²(σ_(i))))Y _(i)=Ψ_(i) ^(Y)(C _(i)(φ_(i) ¹(w _(i)))⊕D _(i)(φ_(i) ²(σ_(i))))wherein

⊕ is an operator,

A_(i), B_(i), C_(i), and D_(i) are operators that are linear withrespect to the operator ⊕, the operators A_(n) and D_(n) are invertibleand an operator Σ_(i) that maps (u, v) to (A_(i)(u)⊕B_(i)(v),C_(i)(u)⊕D_(i)(v)) is invertible;

Ψ_(i) ^(X), Ψ_(i) ^(Y), φ_(i) ¹, and φ_(i) ² are invertible mappings.

This example of the obfuscation function provides for a relatively easydesign of the system. The operators Ψ_(i) ^(X) and Ψ_(i) ^(Y), may beused to replace or implement Ψ_(i). In this example, an operator G isconsidered to be linear with respect to the operator ⊕ if it generallyholds that G(x⊕y)=G(x)⊕G(y).

For example, A_(i) and D_(i) are invertible linear operators for alli=0,1, . . . , n.

For example, r equals w₀. This means that the state variable σ₀ dependson w₀. The relation between the input data w₀ and the state variable σ₀may remain unclear to the attacker by obfuscating this relation with therelation implemented by the first transformation means, for example byimplementing the relation between the input data w₀ and the obfuscatedrepresentation (X₀, Y₀) using a look-up table, in such a way that thevalue σ₀ is not computed as an intermediate result in the system.

For example, g_(n−1) ∘ . . . ∘ g₁ has a computational complexity that issmaller than a computational complexity of u _(n−1) ∘ . . . ∘ u ₁. Thisallows that the transformation F has a relatively small computationalcomplexity. For example, the computational complexity of g_(n-1) ∘ . . .∘ g₁ does not depend on n.

For example, g_(n−1) ∘ . . . ∘ g₁ is an identity function. This makes iteasy to design F (X_(n), r), as the value of σ₀ is also implicitly usedin its dependence on r in the first transformation means.

For example, the operator ⊕ is a bitwise XOR operation.

For example, at least one of the first, second, third, fourth, and fifthtransformation means are configured to look up a transformed value in alook-up table. For example, each of the first, second, and thirdtransformation means are configured to look up a transformed value in alook-up table. In another example, each of the first, second, fourth,and fifth transformation means are configured to look up a transformedvalue in a look-up table. These examples allow for a particularly secureimplementation, as the look-up table allows to hide any used algorithm.

Another aspect comprises a method of providing a system for performing asecure sequence of n transformations wherein i=1, n, to a data value,using encrypted representations of the data value, the method comprising

providing first transformation means and configuring the firsttransformation means to apply a transformation to an input data value w₀to obtain an obfuscated representation (X₀, Y₀) of w₀, wherein theobfuscated representation (X₀, Y₀) contains a redundancy that depends onan input variable r;

providing second transformation means and configuring the secondtransformation means to, for each of i=1, . . . , n−1, apply atransformation u _(i) to compute (X_(i), Y_(i)) from (X_(i−1), Y_(i−1)),such that (X_(i), Y_(i))=u _(i)(X_(i−1), Y_(i−1));

providing fourth transformation means and configuring the fourthtransformation means to apply a transformation u_(n) such thatX_(n)=u_(n)(X_(n−1), Y_(n−1)); and

providing fifth transformation means and configuring the fifthtransformation means to apply a transformation F such that w_(n)=F(X_(n), r), to obtain an outcome of the sequence of transformations,wherein w_(n)=T_(n) ∘ . . . ∘ T₁(w₀);

wherein (X_(i),Y_(i))=Ψ_(i)(w_(i), σ_(i)), for i=0,1, . . . , n, whereinΨ_(i) is a predefined obfuscation function that defines a one-to-onerelation between (X_(i),Y_(i)) and (w_(i), σ_(i)), and wherein Ψ_(i)satisfies a condition that there is a one-to-one mapping that maps anyvalue of (X_(i), σ_(i)) to a value of (w_(i), Y_(i)) in such a way that(X_(i), Y_(i))=Ψ_(i)(w_(i), σ_(i));

σ₀ depends on r;

wherein w_(i)=T_(i)(w_(i−1)) and σ_(i)=g_(i)(σ_(i−1)) for i=1, . . . , nfor predetermined functions T_(i) and g_(i);

wherein the first transformation means, the second transformation means,the fourth transformation means, and the fifth transformation means areconfigured to obfuscate the values of w₁, . . . , w_(n−1) and σ₀, . . .σ_(n).

This method allows to generate the system.

The step of configuring the second transformation means may comprisecomputing at least one look-up table of at least one of the functions u_(i), wherein the look-up table maps values of (X_(i−1), Y_(i−1)) tovalues of (X_(i), Y_(i)), by computing (X_(i), Y_(i))=u _(i) (X_(i−1),Y_(i−1))=Ψ_(i) (T_(i)(Ψ_(i−1) ^(inverse) (X_(i−1), Y_(i−1))) g_(i)(Ψ_(i−1) ^(inverse) (X_(i−1), Y_(i−1)))),

wherein Ψ_(i−1) ^(inverse) is an inverse of Ψ_(i−1). This way, thealgorithmic steps involved in computing u _(i) may be hidden in one ormore look-up tables. The use of look-up tables allows for furtherobfuscation techniques, including above-mentioned white-boximplementations.

Alternatively, the step of configuring the second transformation meansmay comprise computing at least one look-up table of at least one of thefunctions u _(i), wherein the look-up table maps values of (X_(i−1),Y_(i−1)) to values of (X_(i), Y_(i)), by computing(X _(i) , Y _(i))=u _(i)(X _(i−1) , Y _(i−1))=ƒ(T_(i)(ƒ_(i)^(inverse)(X_(i−1), Y_(i−1)))),wherein ƒ_(i) denotes a function defined byƒ_(i)(w _(i), σ_(i))=(Ψ_(i) ^(X)(A _(i)(φ_(i) ¹(w _(i)))⊕B_(i)(φ_(i)²(σ_(i)))), Ψ_(i) ^(Y)(C _(i)(φ_(i) ¹(w _(i)))⊕D _(i)(φ_(i) ²(σ_(i))))),and ƒ_(i) ^(inverse) is an inverse of ƒ_(i). This way, the algorithmicsteps of involved in computing ƒ_(i), ƒ_(i) ^(inverse), and T_(i) may behidden in one or more look-up tables. The use of look-up tables allowsfor further obfuscation techniques, including above-mentioned white-boximplementations.

For example, r equals w₀, and the step of configuring the thirdtransformation means comprises computing at least one look-up tablerepresenting the function G, wherein the at least one look-up table mapstuples of G(X_(i−1), Y_(i−1), w₀) to corresponding values ofw_(n)=G(X_(i−1), Y_(i−1), w₀). In a related example, the step ofconfiguring the fifth transformation means comprises computing at leastone look-up table representing the function F, wherein the at least onelook-up table maps pairs of (X_(n), w₀) to corresponding values ofw_(n)=F(X_(n), w₀). In these examples, the algorithmic steps of involvedin computing G or F or may be hidden in one or more look-up tables. Theuse of look-up tables allows for further obfuscation techniques,including above-mentioned white-box implementations.

According to another aspect, a method is provided for performing asecure sequence of n transformations T_(i), wherein i=1, . . . , n, to adata value, using encrypted representations of the data value, themethod comprising

applying a transformation to an input data value w₀, to obtain anobfuscated representation (X₀, Y₀) of w₀, wherein the obfuscatedrepresentation contains a redundancy that depends on an input variabler;

for each of i=1, . . . , n−1, applying a transformation u _(i) tocompute (X_(i),Y_(i)) from (X_(i−1), Y_(i−1)), such that (X_(i),Y_(i))=u _(i) (X_(i−1), Y_(i−1));

applying a transformation G that depends on X_(n−1), Y_(n−1), and r, bycomputing w_(n)=G(X_(i−1), Y_(i−1), r), to obtain an outcome of thesequence of transformations, wherein w_(n)=T_(n) ∘ . . . ∘ T₁(w₀);

wherein (X_(i), Y_(i))=Ψ_(i)(w_(i), σ_(i)), for i=0,1, . . . , n,wherein Ψ_(i) is a predefined obfuscation function that defines aone-to-one relation between (X_(i), Y_(i)) and (w_(i), σ_(i)), andwherein Ψ_(i) satisfies a condition that there is a one-to-one mappingthat maps any value of (X_(i), σ_(i)) to a value of (w_(i), Y_(i)) insuch a way that (X_(i), Y_(i))=Ψ_(i)(w_(i), σ_(i));

σ₀ depends on r;

wherein w_(i)=T_(i)(w_(i−1)) and σ_(i)=g_(i)(σ_(i−1)) for i=1, . . . , nfor predetermined functions T_(i) and g_(i), wherein w₁, . . . , w_(n−1)and σ₀, . . . σ_(n) are obfuscated in the steps of applying atransformation.

In a particular example, the step of applying the transformation Gcomprises applying a transformation u_(n) such that X_(n)=u_(n)(X_(n−1),Y_(n−1)); and applying a transformation F such that w_(n)=F (X_(n), r),to obtain an outcome of the sequence of transformations, whereinw_(n)=T_(n) ∘ . . . ∘ T₁(w₀).

According to another aspect, a computer program product is providedcomprising instructions for causing a processor system to perform themethod set forth herein.

The person skilled in the art will understand that the featuresdescribed above may be combined in any way deemed useful. Moreover,modifications and variations described in respect of the system maylikewise be applied to the method and to the computer program product,and modifications and variations described in respect of the method maylikewise be applied to the system and to the computer program product.

BRIEF DESCRIPTION OF THE DRAWINGS

In the following, aspects of the invention will be elucidated by meansof examples, with reference to the drawings. The drawings arediagrammatic and may not be drawn to scale. Throughout the drawings,similar items are indicated with the same reference numerals.

FIG. 1 is a block diagram of a system for securely performing a sequenceof transformations.

FIG. 2 is a diagram illustrating a method including a sequence of securedata transformations.

FIG. 3 is a diagram illustrating a method of providing a system as shownin FIG. 1.

DETAILED DESCRIPTION OF EMBODIMENTS

In many applications, it is necessary to apply a transformation T on aninput data w₀. For complexity reasons or other reasons, is may bedesirable that T be computed by successively applying transformationsT₁, . . . , T_(n). That is, for 1≤i≤n, the following computational stepis performed:w _(i) =T _(i)(w _(i−1)).The transformations T₁, . . . , T_(n) are selected in such a way thatthe result of this iteration, w_(n), is equal to T (w₀). However, itwould be desirable to hide the algorithms used in the transformations,and/or it would be desirable that the intermediate values, w₁, . . . ,w_(n−1), be hidden from a malicious user, even if the malicious user hasfull access to the device, including access to the working memory, oreven if the malicious user has capability to use debugging tools toanalyze the application.

Therefore, instead of computing the values of w₁, . . . , w_(n−1)explicitly, alternate values z₁, . . . , z_(n−1) are computed in whichthe values of w₁, . . . , w_(n−1), respectively, are hidden. The valuesz₁, . . . , z_(n−1) contain more information bits than the values w₁, .. . , w_(n−1), because the value of a redundant state variable σ_(i) isalso represented by the values z₁, . . . , z_(n−1). In a preferredexample, the value of w_(n) is computed from z₇, and w₀.

Some notation is introduced which will be used in the explanationshereinafter. For 0≤i≤n, the set of potential values of w_(i) is denotedby W_(i). For 0≤i≤n, a non-empty “state set” Σ_(i) contains the possiblevalues of state variable σ_(i). To avoid trivialities, it is assumedthat Σ₀ has at least two elements; preferably, each Σ_(i) has at leasttwo elements, and even more preferably, each Σ_(i) has more than twoelements. For 0≤i≤n−1, a secret “next-state” function g_(i):Σ_(i)→Σ_(i+1) is chosen to define σ_(i+1)=g_(i)(σ_(i)). Moreover, asecret “state-introduction” function s: W_(i)→Σ₀ is chosen, so thatσ₀=s(w₀). Finally, for 0≤i≤n, a set Z_(i) of cardinality|W_(i)|·|Σ_(i)|, and a secret one-to-one mapping ƒ_(i):W_(i)×Σ_(i)→Z_(i) are chosen. For example, Z_(i)=W_(i)×Σ_(i). Themapping ƒ_(i) describes the relation between values z_(i) that arecomputed by the secure computing device and the corresponding values of(w_(i), σ_(i)), wherein w_(i) is the processed data and σ_(i) is aredundant state variable that helps obfuscate w_(i) in itsrepresentation z_(i).

Let 1≤i≤n. By definition, z_(i)=ƒ_(i)(w_(i),σ_(i))=ƒ_(i)(T_(i)(w_(i−1)),g_(i)(σ_(i−1))). As ƒ_(i−1) is invertible, it is possible to computew_(i−1) and σ_(i−1) as (w_(i−1), σ_(i−1))=ƒ_(i−1) ^(inverse)(z_(i−1)).Consequently, it is possible to compute z_(i) from z_(i−1) by firstcomputing (w_(i−1), σ_(i−1))=ƒ_(i−1) ^(inverse) (z_(i−1)) and thenz_(i)=ƒ_(i)(w_(i), σ_(i))=ƒ_(i)(T_(i)(w_(i-1)), g_(i)(σ_(i−1))). Thiscomputation could be performed without computing the intermediate valuesof (w_(i−1), σ_(i−1)) or (w_(i), σ_(i)), for example by tabulatingvalues of z_(i) and corresponding z_(i−1), or another obfuscatedcomputation of a function u _(i) that computes z_(i) from z_(i−1), sothat z_(i) and corresponding z_(i−1), (X_(i),Y_(i)) from (X_(i-1),Y_(i−1)), such that z_(i)=u _(i) (z_(i−1)).

Note that z_(i) may be divided into two components, so thatz_(i)=(X_(i), Y_(i)), for 1≤i≤n. That is, the information of each ofw_(i) and σ_(i) may be distributed over both components X_(i) and Y_(i).In a specific example, Z_(i)=W_(i)×Σ_(i) and thus X_(i)∈W_(i) andY_(i)∈Σ_(i). Alternatively, X_(i) is selected from a set of cardinality|W_(i)| and Y_(i) is selected from a set of cardinality |Σ_(i)|.

The computation may be started by computing z₀=(X₀, Y₀) from w₀ using(X₀, Y₀)=ƒ₀ (w₀, s(w₀)). Herein, s(w₀) denotes a function that computesa state value σ₀ from the input value w₀. The function s (w₀) and ƒ₀ maybe combined, for example in a look-up table, to hide the value of σ₀from an attacker. Alternatively, the value of σ₀ may depend on anotherinput data element r instead of w₀.

Because of the way in which the pairs z_(i)=(X_(i), Y_(i)) are computedby the electronic device (described above), it follows that these valuesz_(i)=(X_(i), Y_(i)) depend on the input value w₀ and optionally on theextra input element r. Similarly, the values of σ_(i) (although notcomputed by the electronic device) depend on w₀ and/or optionally on theextra input element r.

If the electronic device computes z_(n)=(X_(n), Y_(n)) in the waydescribed above, it can compute w_(n)=ƒ_(n) ^(inverse) (z_(n)). However,with a proper constraint in place, it is also possible to compute w_(n)from X_(n) and w₀ (and/or r, if σ₀ depends on r). This constraint is asfollows: For any two values w ∈ W_(n) and w′ ∈ W_(n) with w≠w′, and anyσ ∈ Σ_(n), wherein (X, Y)=ƒ_(n)(w, σ) and (X′, Y′)=ƒ_(n)(w′, σ), itshould hold that X≠X′. If this property holds, then it is possible toconstruct a transformation, for example a look-up table, which mapspairs of X_(n) and w₀ (or pairs of X_(n) and r) to the correspondingvalues of w_(n). In such a case it is not necessary to compute Y_(n).This may make it more difficult to extract information from theelectronic device by varying the values of X_(i) and/or Y_(i).

In this description, ƒ_(i) may also be denoted by Ψ_(i). These symbolshave the same meaning in this description. Accordingly, (X_(i),Y_(i))=Ψ_(i)(w_(i), σ_(i)), for i=0,1, . . . , n. Herein, Ψ_(i) is apredefined obfuscation function that defines a one-to-one relationbetween (X_(i), Y_(i)) and (w_(i), σ_(i)). In order to be able todetermine w_(n) on the basis of X_(n) and σ_(n), without needing thevalue of Y_(n), the function Ψ_(n) may be selected such that Ψ_(n)satisfies a condition that there is a one-to-one mapping that maps anyvalue of (X_(n), σ_(n)) to a value of (w_(n), Y_(n)) in such a way that(X_(n), Y_(n))=Ψ_(n)(w_(n), σ_(n)). Such a function may be designed bytrial and error. A class of functions for which the condition holds isgiven in the following example.

Hereinafter, a particular example will be described, in which moredetailed examples are given for several components of the algorithm. Inthis example, there are positive integers p and q such that for all i,W_(i)={0,1}^(p) and Σ_(i)={0,1}^(q). Moreover,Z_(i)=W_(i)×Σ_(i)={0,1}^(p)×{0,1}^(q). It is noted that this isequivalent to setting Z_(i)={0,1}^(p+q).

In an even more detailed example, in addition to the sets selected inthe previous example, the functions ƒ_(i) are selected such thatƒ_(i)(w_(i),σ_(i))=(X_(i), Y_(i)), whereinX _(i)=Ψ_(i) ^(X)(A _(i)(φ_(i) ¹(w _(i)))⊕B _(i)(φ_(i) ²(σ_(i))))Herein, ⊕ indicates the bit-wise modulo operation. A_(i) is aninvertible linear mapping from {0,1}^(p) onto {0,1}^(p). D_(i) is aninvertible linear mapping from {0,1}^(q) onto {0,1}^(q). B_(i) is alinear mapping from {0,1}^(q) onto {0,1}^(p). C_(i) is a linear mappingfrom {0,1}^(p) onto {0,1}^(q). The superscripts of functions denoteindices. The linear mapping E_(i) that maps (u, v) to(A_(i)(u)⊕B_(i)(v), C_(i)(u)⊕D_(i)(v)) is invertible. φ_(i) ¹ and Ψ_(i)^(X) are invertible mappings on {0,1}^(p) which may be non-linear. φ_(i)² and Ψ_(i) ^(Y) are invertible mappings on {0,1}^(q) which may benon-linear. In case p≠q, it is preferred that B_(i) and C_(i) are alsoinvertible. In case p≠q, it is preferred that the matrices correspondingto the linear mappings B_(i) and C_(i) have full rank.

In principle it is possible to compute the value of w_(n) fromz_(n)=(X_(n), Y_(n)) using the above equations. However, in a preferredexample, the device does not compute Y_(n), but only computes X_(n). Inthat case the device is configured to compute w_(n) from X_(n) and w₀(or r, as the case may be).

It is noted thatX _(n)=Ψ_(n) ^(X)(A _(n)(φ_(n) ¹(w _(n)))⊕B _(n)(φ_(n) ²(σ_(n)))).As Ψ_(n) ^(X) is invertible, it is possible to compute the value ofA_(n)(φ_(n) ¹(w_(n)))⊕B_(n)(φ_(n) ²(σ_(n))) from given X_(n). Moreover,as σ_(n) may be obtained from w₀ (or r, as the case may be), it ispossible to compute B_(n)(φ_(n) ²(σ_(n))) from w₀ (or r, as the case maybe). From this information, w_(n) can be determined. Preferably, w_(n)is directly obtained from X_(n) and w₀ without revealing any of theintermediate results mentioned in this paragraph. For example, therelationship may be stored in a table or multiple tables. Multipletables may be used, for example, if one or more bits of w_(n) do notdepend on all bits of w₀ and/or all bits of X_(n).

For example, g_(n−1) ∘ . . . ∘ g₁ has a computational complexity that issubstantially smaller than a computational complexity of u _(n−1) ∘ . .. ∘ u ₁. This allows that w_(n) can be computed from X_(n) and r with arelatively small computational complexity. For example, thecomputational complexity of g_(n−1) ∘ . . . ∘ g₁ does not depend on n.

For example, g_(n−1) ∘ . . . ∘ g₁ is an identity function. This makes iteasy to design F(X_(n), r), as the value of σ is also implicitly used inits dependence on r in the first transformation means.

FIG. 1 illustrates an embodiment of a system for performing a securesequence of transformations. In the illustrations, several processingmeans have been denoted by rectangles, sometimes with a correspondingsymbol used in this description inside the rectangle. Moreover, dataelements have been indicated by their variable symbol and a sketchedarray symbolizing a bit sequence of a given length. However, the actuallength of the bit sequence of each data element may be varied. Thedrawings do not indicate the actual length of the data elements. Thesystem may be implemented on a single processing device, such as aproperly programmed computer, a smartphone, or a smartcard. The systemmay also be distributed over several different processing devices.

The system comprises a data input unit 111 for determining an input datavalue w₀. For example, the input unit 111 is configured to receive theinput data value via a communications subsystem of the device.Alternatively, the input unit 111 may be configured to receive the inputdata value from a memory, which may be an internal memory or an externalmemory. The system further comprises a first transformation means 101for applying a transformation to the input data value w₀ to obtain theobfuscated representation (X₀, Y₀) of w₀ such that (X₀, Y₀)=ƒ₀ (w₀,s(w₀)). In a specific example, w₀, σ₀=s(w₀), X₀, and Y₀ all are datavalues having the same number of bits.

The system further comprises a second transformation means 102. Thesecond transformation means 102 comprises one or more furthertransformation means 110. A further transformation means 110 implementsu _(i) for a particular value of i, wherein i=1, . . . , n−1. The secondtransformation means 102 is configured to apply the furthertransformation means 110 to the obfuscated data in one or moreiterations. More specifically, the further transformation means 110computes (X_(i), Y_(i))=u _(i)(X_(i−1), Y_(i−1)), for i=1, . . . , n−1,wherein n is the number of transformations to be performed. It will beunderstood that the further transformation means 110 may compute adifferent operation in each iteration; that is, u _(i) may be adifferent operation for each i=1, . . . , n−1. However, this is not alimitation as some or all of the u _(i) could be identical operations.

The system further comprises a third transformation means configured toapply a transformation G that depends on X_(n−1), Y_(n−1), and r, bycomputing w_(n)=G (X_(n−1), Y_(n−1), r), to obtain an outcome of thesequence of transformations, wherein w_(n)=T_(n) ∘ . . . ∘ T₁ (w₀) .Herein, G is defined as G (X_(n−1), Y_(n−1), r)=F (u_(n)(X_(n−1),Y_(n−1)), r). In the example embodiment illustrated in FIG. 1, the thirdtransformation means is implemented as a combination of a fourthtransformation means 103 and a fifth transformation means 104.

The fourth transformation means 103 is configured to compute X_(n) usingthe transformation u_(n), so that X_(n)=u_(n)(X_(n-1), Y_(n−1)). Thecomputation of Y_(n) may thus be omitted.

The fifth transformation means 104 is configured to receive the valueX_(n) from the fourth transformation means 103 and the value w₀ tocompute w_(n) using a function F such that w_(n)=F (X_(n),w₀). Forexample, the fifth transformation means 104 receives the value w₀ fromthe data input unit 111.

The system further comprises an output unit 112 configured to receivethe computed value of w_(n) from the fifth transformation means 104 andforward the value of w_(n) to other components of the system (notshown), and/or store the value of w_(n) in a memory. For example, theoutput unit 112 may be configured to display a visualization of the dataw_(n) on a display device and/or reproduce the data on an audio device.

In a specific example, the second transformation means 102, one or moreof the further transformation means 110, and/or the fourthtransformation means may receive further operand value(s), for examplefrom an external source or from another computational unit of thesystem. In such a case, for example the function u_(i) has the form(X_(i), Y_(i))=u _(i)(X_(i−1), Y_(i−1); X′, Y′), wherein (X′, Y′)denotes an obfuscated representation of another data element w′ withstate parameter σ′. This obfuscated representation may have a similarform as the ones described herein. Alternatively, the further operandvalue(s) may be provided in the clear, that is, u_(i) may have the form(X_(i),Y_(i))=u _(i)(X_(i−1), Y_(i−1); w′), wherein w′ denotes a furtherdata element that is not obfuscated.

In a specific variation of the system shown in FIG. 1, the firsttransformation means 101 may be configured to receive a furtherparameter r (not shown in the drawing), and the redundancy in theobfuscated representation (X₀, Y₀) of w₀ may depend on an input variabler, as explained above. In such a case, the same further parameter r isprovided also to the third transformation unit and/or the fifthtransformation unit 104, so that for example the fifth transformationunit 104 can compute the value of w_(n) in dependence on both X_(n) andr.

It is noted that the first transformation means 101, the secondtransformation means 102, the third transformation means, the fourthtransformation means 103, and/or the fifth transformation means 104 maybe implemented by means of look-up tables. For example, the firsttransformation means 101, the further transformation means 110 of thesecond transformation means 102, the fourth transformation means 103,and the fifth transformation means 104 may each be implemented by asingle look-up table. Alternatively, it is possible to use a pluralityof look-up tables that are designed to be applied cooperatively by oneof the transformation means, to implement one of the transformationstogether.

Optionally, these look-up tables may be obfuscated further by encodingthe inputs and outputs of the look-up tables using techniques known frome.g. Chow et al. The look-up tables are an example of how thetransformations can be performed without revealing intermediate resultswhich should remain hidden, such as values of σ_(i), for i=0, . . . , n,and in particular σ₀ which plays a role in the first and fifthtransformation means (or more generally, in the first and thirdtransformation means).

FIG. 2 illustrates a method of performing a secure sequence of ntransformations T_(i), wherein i=1, . . . , n, to a data value, usingencrypted representations of the data value. The method comprises a step201 of applying a transformation to an input data value w₀ to obtain anobfuscated representation (X₀, Y₀) of w₀, wherein the obfuscatedrepresentation (X₀, Y₀) contains a redundancy that depends on an inputvariable r.

Next, in step 206, an index value i is initialized by setting i=1.

Next, the method proceeds with step 202 of applying a transformation u_(i) to compute (X_(i), Y_(i)) from (X_(i−1), Y_(i−1)), such that(X_(i), Y_(i))=u _(i)(X_(i−1), Y_(i−1)). After applying thetransformation, i is increased by one.

Next, the method proceeds with step 203 of verifying whether theiteration is complete, by checking whether i=n. If i≠n, the methodrepeats step 202 with the updated value of i.

If i=n at step 203, the method proceeds with step 204 of applying atransformation u_(n) such that X_(n)=u_(n)(X_(n−1), Y_(n−1)). Next, themethod proceeds with step 205 of applying a transformation F such thatw_(n)=F (X_(n), r), to obtain an outcome of the sequence oftransformations, wherein w_(n)=T_(n) ∘ . . . ∘ T₁(w₀). It is noted thatstep 204 and step 205 may be combined in a single step.

In the above method, the symbols are as explained above in thisdescription for several examples.

For example, for i=0, 1, . . . , nX _(i)=Ψ_(i) ^(X)(A _(i)(φ_(i) ¹(w _(i)))⊕B _(i)(φ_(i) ²(σ_(i))))Y _(i)=Ψ_(i) ^(Y)(C _(i)(φ_(i) ¹(w _(i)))⊕D _(i)(φ_(i) ²(σ_(i))))wherein

⊕ is an operator,

A_(i), B_(i), C_(i), and D_(i) are operators that are linear withrespect to the operator ⊕, the operators A_(i) and D_(i) are invertibleand the operator E_(i) that maps (u, v) to (A_(i)(u)⊕B_(i)(v),C_(i)(u)⊕D_(i)(v)) is invertible;

Ψ_(i) ^(X), Ψ_(i) ^(Y), φ_(i) ¹, and φ_(i) ² are invertible mappings;

σ₀ depends on r;

wherein w_(i)=T_(i)(w_(i−1)) and σ_(i)=g_(i)(σ_(i−1)) for i=1, . . . , nfor predetermined functions T_(i) and g_(i), wherein w₁, . . . , w_(n−1)and σ₀, . . . σ_(n) are not explicitly computed by the system.

FIG. 3 illustrates a method of providing a system for performing asecure sequence of n transformations T_(n, wherein i=)1, . . . , n, to adata value, using encrypted representations of the data value.

The method commences with step 301 of providing first transformationmeans 101 and configuring the first transformation means 201 to apply atransformation to an input data value w₀ to obtain an obfuscatedrepresentation (X₀, Y₀) of w₀, wherein the obfuscated representation(X₀, Y₀) contains a redundancy that depends on an input variable r.

The method proceeds in step 302 with providing the second transformationmeans 102. In step 311, an index value i is initialized by setting i=1.Next, in step 310, a further transformation means 110 is included intothe second transformation means 102. This further transformation means110 is configured to apply a transformation u_(i) to compute (X_(i),Y_(i)) from (X_(i−1), Y_(i−1)), such that (X_(i), Y_(i))=u _(i)(X_(i−1),Y_(i−1)). Thereafter, the index value i is incremented. In step 312, itis checked whether i=n. If i≠n in step 312, the method repeats step 310with the updated value of i.

If i=n at step 312, the method proceeds with step 303 of providingfourth transformation means 103 and configuring the fourthtransformation means 103 to apply a transformation u_(n) such thatX_(n)=u_(n)(X_(n−1), Y_(n−1)).

Next, in step 304, the method proceeds with providing fifthtransformation means 104 and configuring the fifth transformation means104 to apply a transformation F such that w_(n)=F(X_(n), r), to obtainan outcome of the sequence of transformations, wherein w_(n)=T_(n) ∘ . .. ∘ T₁(w₀).

It is noted that steps 303 and 304 may be combined such that a thirdtransformation means is provided that applies the transformation G, asexplained above.

The method steps are performed in such a way that the firsttransformation means, the second transformation means, the fourthtransformation means, and the fifth transformation means are configuredto obfuscate the values of w₁, . . . , w_(n−1) and σ₀, . . . σ_(n). Inparticular, the first transformation means 101 and the fifthtransformation means 104 are configured such that they obfuscate thevalue of σ₀, which depends on r (or on w₀, as explained hereinabove),for example by creating a shortcut in the computation that directlygenerates the end result w_(n) based on X_(n) and r (or based on X_(n)and w₀).

A particular example of such obfuscation is given by providing look-uptables for the most vulnerable transformations. For example, step 302 ofconfiguring the second transformation means may comprise computing atleast one look-up table of at least one of the functions u _(i), whereinthe look-up table maps values of (X_(i−1), Y_(i−1)) to values of (X_(i),Y_(i)). This look-up table may be computed by computing, for appropriatevalues of (X_(i−1),Y_(i−1)):(X _(i) ,Y _(i))=u _(i)(X _(i−1) ,Y _(i−1))=ƒ _(i)(T _(i)(ƒ _(i−1)^(inverse)(X _(i−1) ,Y _(i−1))),g _(i)(ƒ _(i−1) ^(inverse)(X _(i−1) , Y_(i−1)))),wherein ƒ_(i) denotes a function defined byƒ _(i)(w _(i),σ_(i))=(Ψ_(i) ^(X)(A _(i)(φ_(i) ¹(w _(i)))⊕B _(i)(φ_(i)²(σ_(i)))), Ψ_(i) ^(Y)(C _(i)(φ_(i) ¹(w _(i))⊕D _(i)(φ_(i) ²(σ_(i))))),and ƒ_(i) ^(inverse) is an inverse of ƒ_(i). In the above equations,T_(i) uses only the component w_(i) of ƒ_(i−1) ^(inverse) is g_(i) usesonly the component σ_(i) of ƒ_(i) ^(inverse).

The fourth transformation may contain a look-up table similar to theabove, withX _(n) =u _(n)(X_(n−1), Y_(n−1))=Ψ_(n) ^(X)(A _(n)(φ_(n) ¹(T_(n)(ƒ_(n−1) ^(inverse)(X _(n−1) , Y _(n−1)))))⊕B _(n)(φ_(n) ²(g_(n)(ƒ_(n−1) ^(inverse)(X _(n−1) , Y _(n−1)))))),wherein T_(n) uses only the component w_(n−1) of ƒ_(n−1) ^(inverse) theoutput values of Y_(n) are omitted.

In another example, in the specific example in which r=w₀, step 301 ofconfiguring the first transformation may comprise providing a look-uptable of the function that maps values of w₀ to corresponding values of(X₀, Y₀). This relation may be given by (X₀, Y₀)=Ψ_((w) ₀, s(w₀)), asdescribed above, wherein s (w₀) is a secret mapping that maps the valueof w₀ to σ₀. By providing tabulated values of w₀ and correspondingvalues of (X₀, Y₀), the system may apply the transformation withoutcomputing a value of σ₀. According to the more specific example that isdescribed above, the relation implemented by the look-up table of thefirst transformation means may be given byX ₀=Ψ₀ ^(X)(A ₀(φ₀ ¹(w ₀))⊕B ₀(φ₀ ²(s(w ₀)))),Y ₀=Ψ₀ ^(Y)(C ₀(φ₀ ¹(w ₀))⊕D ₀(φ₀ ²(s(w ₀)))),

In another example, in which r=w₀, step 304 of configuring the fifthtransformation may comprise providing a look-up table of the function F.This table may map pairs of (X_(n), w₀) to corresponding values ofw_(n)=F (X_(n), w₀) .

Similar tables may be prepared for the case where r is a different inputvalue separate of w₀.

A system for performing a secure sequence of transformations of a datavalue, using encrypted representations of the data value may beprovided. The system comprises first transformation means for applying atransformation to an input data value to obtain an obfuscatedrepresentation thereof, wherein the obfuscated representation contains aredundancy that depends on an input variable. The system comprises asequence of second transformation means for applying a transformation tocompute transformed obfuscated representations. The system furthercomprises fourth transformation means for applying a transformation suchthat a last obfuscated transformed data is obtained. The systemcomprises fifth transformation means for applying a transformation thatdepends on the last obfuscated transformed data and the input data.

Some or all aspects of the invention may be suitable for beingimplemented in form of software, in particular a computer programproduct. Such computer program product may comprise a storage media onwhich the software is stored. Such a storage media may comprise, forexample, an optical disc, magnetic disk, or flash memory. Also, thecomputer program may be represented by a signal, such as an optic signalor an electro-magnetic signal, carried by a transmission medium such asan optic fiber cable or the air. The computer program may partly orentirely have the form of source code, object code, or pseudo code,suitable for being executed by a computer system. For example, the codemay be directly executable by one or more processors. Alternatively, thecode may be interpreted by an interpreter that is executed by one ormore processors. It will be understood that portions of the systemsdescribed herein may be implemented in form of software. Moreover, themethod steps described herein may be implemented partially or completelyin software. The software may be organized by means of subroutines. Thesubroutines may be combined to form a standalone executable program.Alternatively, the subroutines may be organized as a dynamicallylinkable library. A main program executable file may be provided thatuses the subroutines from the dynamically linkable library. Each of theprocessing steps and/or system components described herein may berepresented by executable code, be it in a dynamically linked library orin an executable file. Some, or all, of the functionality may beimplemented as part of an operating system, some functionality may beimplemented in a dynamically linked library, and some functionality maybe implemented as an application program file.

The examples and embodiments described herein serve to illustrate ratherthan limit the invention. The person skilled in the art will be able todesign alternative embodiments without departing from the scope of theclaims. Reference signs placed in parentheses in the claims shall not beinterpreted to limit the scope of the claims. Items described asseparate entities in the claims or the description may be implemented asa single hardware or software item combining the features of the itemsdescribed.

The invention claimed is:
 1. A system for secure processing of data byperforming a secure sequence of n transformations Ti, wherein i=1, . . .,n, of a data value w0, using encrypted representations of the datavalue to obtain a secure outcome, the system comprising a memorycommunicatively coupled to a processor and a non-transitory computerreadable medium including instructions for causing the processor to:perform a first transformation that applies the first transformation tothe data value w0 to obtain an obfuscated representation (X0, Y0) of w0,wherein the obfuscated representation (X0, Y0) contains a redundancythat depends on an input variable r; perform a second transformationthat, for each of i=1, . . . ,n−1, applies the second transformation uito compute (Xi, Yi) from (X(i−1),Y(i−1)), such that (Xi, Yi)=ui((X(i−1),Y(i−1))); perform a third transformation G that depends on X(n−1),Y(n−1), and r, by computing wn=G(X(n−1), Y(n−1), r), to obtain thesecure outcome, wherein wn=Tn∘ . . . ∘T1 (w0), the third transformationbeing performed by applying a fourth transformation un such thatXn=un(X(n−1), Y(n−1)), and a fifth transformation F that depends on Xnand r, by computing wn=F(Xn, r), to obtain the value of w_(n); and causeoutput of the secure outcome, wherein (X_(i), Y_(i))=Ψ_(i)(w_(i),σ_(i)), for i=0,1,. . . ,n, wherein Ψ_(i) is a predefined obfuscationfunction that defines a one-to-one relation between (X_(i), Y_(i)) and(w_(i),σ_(i)), w_(i), being processed data and σ_(i), being redundantstate variable for obfuscating w_(i), and wherein Ψ_(i) satisfies acondition that there is a one-to-one mapping that maps any value of(X_(i), σ_(i)) to a value of (w_(i), Y_(i)) in such a way that (X_(i),Y_(i))=Ψ_(i)(w_(i), σ_(i)) such that a change of X_(i), or Y_(i) causesa change of the redundant state variable σ_(i) and makes unpredictablethe secure outcome, wherein σ₀ depends on r, whereinw_(i)=T_(i)(w_((i−1))) and σ_(i)=g_(i)(σ_((i−1))) for i=1, . . . , n,for predetermined functions T_(i) and g_(i), and wherein the firsttransformation, the second transformation, and the third transformationobfuscate the values of w₁, . . . ,w_((n−1)) and σ₀, . . . σ_(n).
 2. Thesystem according to claim 1, wherein (X_(i), Y_(i))=Ψ_(i)(w_(i), σ_(i)is defined as follows for i=0,1, . . . ,n:X _(i)=Ψ_(i) ^(X)(A _(i)(φ_(i) ¹(w _(i)))⊕B hd —i(φ_(i) ²(σ_(i))))Y _(i)=Ψ_(i) ^(Y)(C _(i)(φ_(i) ¹(w _(i)))⊕D _(i)(φ_(i) ²(σ_(i))))Wherein ⊕ is an operator, A_(i), B_(i), C_(i), and D_(i) are operatorsthat are linear with respect to the operator ⊕, the operators A_(n) andD_(n) are invertible, and an operator E_(i) that maps (u, v) to(A_(i)(u) ⊕B_(i)(v), C_(i)(u)⊕D_(i)(v)) is invertible; and Ψ_(i)^(X),Ψ_(i) ^(Y),φ_(i) ¹, and φ_(i) ² are invertible mappings.
 3. Thesystem of claim 2, wherein the operator ⊕ is a bitwise XOR operation. 4.The system of claim 1, wherein r equals w₀.
 5. The system of claim 1,wherein g_((n−1))∘ . . . ∘g₁ is an identity function.
 6. The system ofclaim 1, wherein at least one of the first, second, and thirdtransformations are implemented by at least one pre-computed look-uptable.
 7. A method of providing a system for secure processing of databy performing a secure sequence of n transformations T_(i), wherein i=1,. . . ,n, to a data value, using encrypted representations of the datavalue to obtain a secure outcome, the method comprising acts of:providing a processor; configuring the processor to apply a firsttransformation to the data value w₀ to obtain an obfuscatedrepresentation (X₀, Y₀) of w₀, wherein the obfuscated representation(X₀, Y₀) contains a redundancy that depends on an input variable r;configuring the processor to, for each of i=1, . . . ,n−1, apply asecond transformation u _(i), to compute (X_(i), Y_(i)) from (X_((i−1)),Y_((i−1))), such that (X_(i), Y_(i))=u_(i)(X_((i−1)), Y_((i−1))); andconfiguring the processor to apply a third transformation G that dependson X_((n−1)), Y_((n−1)), and r, by computing w_(n)=G(X_((i−1)),Y_((i−)),r), to obtain the secure outcome, wherein w_(n)=T_(n)∘ . . .∘T₁ (w₀), the third transformation being performed by applying a fourthtransformation u_(n) such that X_(n)=u_(n)(X_((n−1)), Y_((n−1))), and afifth transformation F that depends on X_(n) and r, by computingw_(n)=F(X_(n),r), to obtain the value of w_(n); and outputting of thesecure outcome, wherein (X_(i), Y_(i))=Ψ_(i)(w_(i), σ_(i)), for i=0,1, .. . ,n, wherein Ψ_i is a predefined obfuscation function that defines aone-to-one relation between (X_(i), Y_(i)) and (w_(i), σ_(i)), w_(i)being processed data and σ_(i) being redundant state variable forobfuscating w_(i), and wherein Ψ_(i) satisfies a condition that there isa one-to-one mapping that maps any value of (X_(i), σ_(i)) to a value of(w_(i), Y_(i)) in such a way that (X_(i), Y_(i))=Ψ_(i)(w_(i), σ_(i))such that a change of X_(i) or Y_(i) causes a change of the redundantstate variable σ_(i) and makes unpredictable the secure outcome of thesequence of transformations w_(n), wherein σ₀ depends on r, whereinw_(i)=T_(i)(w_((i−1) and σ) _(i)=g_(i) (σ_((i−1))) for i=1, . . . ,n forpredetermined functions T_(i) and g_(i), and wherein the firsttransformation means, the second transformation means, and the thirdtransformation means are configured to obfuscate the values of w₁, . . .,w_((n−1)) and σ₀, . . . σ_(n).
 8. The method of claim 7, wherein requals w₀, and wherein the act of configuring the processor to apply thefirst transformation comprises computing at least one look-up tablerepresenting a mapping of values of w₀ to corresponding values of (X₀,Y₀).
 9. The method of claim 7, wherein the act of configuring theprocessor to apply the second transformation comprises computing atleast one look-up table of at least one of the functions u _(i), whereinthe look-up table maps values of (X_((i−1)),Y_((i−1))) to values of(X_(i),Y_(i)), by computing (X_(i), Y_(i))=u_(i)(X_((i−1)),Y_((i−1)))=Ψ_(i)(T_(i)(Ψ_((i−1)) ^(inverse)(X_((i−1)), Y_((i−1)))),g_(i)(Ψ(i−1) ^(inverse)(X_((i−1)), Y_((i−1))))), wherein Ψ_((i−1))^(inverse) is an inverse of Ψ_((i−1)).
 10. The method of claim 7,wherein (X_(I), Y_(i))=Ψ_(i)(w_(I), σ_(I)) is defined as follows:X _(i)=Ψ_(i) ^(X)(A _(i)(φ_(i) ¹(w _(i)))⊕B _(i)(φ_(i) ²(σ_(i))))Y _(i)=Ψ_(i) ^(Y)(C _(i)(φ_(i) ¹(w _(i)))⊕D _(i)(φ_(i) ²(σ_(i))))Wherein ⊕ is an operator, A_(i), B_(i), C_(i), and D_(i) are operatorsthat are linear with respect to the operator ⊕, the operators A_(n) andD_(n) are invertible, and an operator E_(i) that maps (u,v) to(A_(i)(u)⊕B_(i)(v),C_(i)(u)⊕D_(i)(v)) is invertible; and Ψ_(i) ^(X),Ψ_(i) ^(Y), φ_(i) ¹, and φ_(i) ² are invertible mappings; and whereinthe act of configuring the processor to apply the second transformationcomprises computing at least one look-up table of at least one of thefunctions u _(i), wherein the look-up table maps values of (X_((i−1)),Y_((i−1))) to values of (X_(i), Y_(i)), by computing (X_(i),Y_(i))=u_(i)(X_((i−1)), Y_((i−1)))=f_(i)(T_(i)(f_((i−1))^(inverse)(X_((i−1)), Y_((i−1)))), g_(i)(f_((i−1)) ^(inverse)(X_((i−1)),Y_((i−1))))), wherein f_(i) denotes a function defined by f_(i)(w_(i),σ_(i))=(Ψ_(i) ^(X)(A_(i)(φ_(i) ¹(w_(i)))⊕B_(i)(φ_(i) ²(σ_(i)))), Ψ_(i)^(Y)(C_(i)(φ^(i1)(w_(i)))⊕D_(i)(φ_(i) ²(σ_(i))))), and f_((i−))^(inverse) is an inverse of f_((i−)).
 11. The method of claim 7, whereinr equals w_0, and wherein the act of configuring the processor to applythe third transformation comprises computing at least one look-up tablerepresenting the function G, wherein the at least one look-up table mapstuples of (X_((i−1)), Y_((i−1 ),w) ₀) to corresponding values ofw_(n)=G(X_((i−1)), Y_((i−1)),w₀).
 12. A method of secure processing ofdata by performing a secure sequence of n transformations T_(i), whereini=1, . . . ,n, to a data value to obtain a secure outcome, usingencrypted representations of the data value, comprising acts of:applying a first transformation to the data value w₀ to obtain anobfuscated representation(X₀, Y₀) of w₀, wherein the obfuscatedrepresentation contains a redundancy that depends on an input variabler; for each of i=1, . . . ,n−1, applying a second transformation u _(i)to compute (X_(i), Y_(i)) from (X_((i−1)), Y_((i−1))), such that (X_(i),Y_(i))=u_(i)(X_((i−1)), Y_((i−1))); and applying a third transformationG that depends on X_((n−1)), Y_((n−1)), and r, by computingw_(n)=G(X_((i−1)), Y_((i−1)), r), to obtain the secure outcome of thesequence of transformations, wherein w_(n)=T_(n)∘ . . . ∘T₁(w₀), thethird transformation being performed by applying a fourth transformationu_(n) such that X_(n)=u_(n)(X_((n−1)), Y_((n−1))), and a fifthtransformation F that depends on X_(n) and r, by computingw_(n)=F(X_(n), r), to obtain the value of w_(n); and outputting of thesecure outcome, wherein (X_(i), Y_(i))=Ψ_(i)(w_(i), σ_(i)), for i=0,1, .. . ,n, wherein Ψ_(i) is a predefined obfuscation function that definesa one-to-one relation between (X_(i), Y_(i)) and (w_(i),σ_(i)), w_(i)being processed data and σ_(i) being redundant state variable forobfuscating w_(i), and wherein Ψ_(i) satisfies a condition that there isa one-to-one mapping that maps any value of (X_(i), σ_(i)) to a value of(w_(i), Y_(i)) in such a way that (X_(i), Y_(i))=Ψ_(i)(w_(i), σ_(i))such that a change of X_(i) or Y_(i) causes a change of the redundantstate variable σ_(i) and makes unpredictable the secure outcome, whereinσ₀ depends on r, and wherein w_(i)=T_(i)(w_((i−1))) andσ_(i)=g_(i)(σ_((i−1))) for i=1, . . . ,n for predetermined functionsT_(i) and g_(i), wherein w₁, . . . , w_((n−1)) and σ₀, . . . σ_(n) areobfuscated in the acts of applying the first, second and thirdtransformations.